Abstract

Oblivious transfer, a central functionality in modern cryptography, allows a party to send two one- 
bit messages to another who can choose one of them to read, remaining ignorant about the other, 
whereas the sender does not learn the receiver's choice. Oblivious transfer the security of which 
is information-theoretic for both parties is known impossible to achieve from scratch. — The joint 
behavior of certain bi-partite quantum states is non-local, i.e., cannot be explained by shared classical 
information. In order to better understand such behavior, which is classically explainable only by 
communication, but does not allow for it, Popescu and Rohrlich have described a "non-locality 
machine": Two parties both input a bit, and both get a random output bit the XOR of which is the 
AND of the input bits. — We show a close connection, in a cryptographic sense, between OT and 
the "PR primitive." More specifically, unconditional OT can be achieved from a single realization of 
PR, and vice versa. Our reductions, which are single-copy, information-theoretic, and perfect, also 
lead to a simple and optimal protocol allowing for inverting the direction of OT. 

1 Introduction 

1.1 Oblivious Transfer and Oblivious Keys 

Oblivious transfer [11], OT for short, is a functionality of great importance in cryptography or, more
precisely, secure two-party computation, where two parties, who mutually distrust each other, want to 
collaborate with the objective of achieving a common goal, e.g., evaluate a function to which both hold 
an input — but without revealing unnecessary information about the latter. In (chosen one-out-of-two 
bit) OT, one of the parties, the sender, inputs two bits $x_0$ and $x_1$, whereas the other party has a choice
bit $c$. The latter then learns $x_c$, but remains ignorant about the other message bit $x_{1-c}$. The sender, on
the other hand, does not learn any information about $c$.

Various ways, based on public-key encryption, for instance, have been proposed for realizing OT, 
where the security for one of the parties, however, is only computational. In fact, oblivious transfer is 
impossible to achieve in an unconditionally secure way for both parties — even when they are connected 
by a quantum channel. On the other hand, it has been shown that unconditionally secure OT can
be reduced to weak information-theoretic primitives such as simply a noisy communication channel
[5] or so-called universal OT.

A recent result shows that OT can be stored: Given one realization of OT, a sample of distributed 
random variables X (known to A) and Y (known to B) can be generated, where the joint distribution 
$P_{XY}$ is such that X and Y can be used to realize an instance of OT. We will call the distributed pair of
random variables (X, Y) an oblivious key or OK for short; in some sense, as we will see, this is the local
(hidden-variable) part of OT (as opposed to non-local systems and behavior, see Section 1.2). Another
consequence — observed in — is that, since OK is symmetric, OT is, too. This solved a long-standing 
open problem posed in 0. 



1.2 Quantum Non-Locality and the Popescu-Rohrlich Primitive 

Entangled but possibly distant two-partite quantum systems can show a joint behavior under measurements
that cannot be explained by "locality" or hidden variables, i.e., distributed classical information;
such behavior is called non-local. There exists, for instance, a so-called maximally entangled state
$|\psi^-\rangle = (|01\rangle - |10\rangle)/\sqrt{2}$ with the following properties. If the parties A and B controlling the two parts
of the system both choose between two fixed possible bases for measuring their system in (where this
pair of bases is not the same for the two parties), where the measurement outcome can be 0 or 1 in both
cases, then the following statistics are observed. (Here, the two possible bases for each party are called
0 and 1, too.)

$P_{00} = \mathrm{Prob}[\text{outcome A} = \text{outcome B} \mid \text{basis A} = 0, \text{basis B} = 0] = 0$,

$P_{01} = \mathrm{Prob}[\text{outcome A} = \text{outcome B} \mid \text{basis A} = 0, \text{basis B} = 1] = 1/4$,

$P_{10} = \mathrm{Prob}[\text{outcome A} = \text{outcome B} \mid \text{basis A} = 1, \text{basis B} = 0] = 1/4$,

$P_{11} = \mathrm{Prob}[\text{outcome A} = \text{outcome B} \mid \text{basis A} = 1, \text{basis B} = 1] = 3/4$.

* Département d'Informatique et R.O., Université de Montréal, Canada. Email: wolf@iro.umontreal.ca.

† Département d'Informatique et R.O., Université de Montréal, Canada. Email: wullschj@iro.umontreal.ca.



It has been shown that such statistics are impossible to achieve between two parties who cannot commu- 
nicate when they share arbitrary classical information only (i.e., agree on a classical strategy beforehand). 
More precisely, the so-called CHSH Bell inequality is violated since 

$P_{00} + P_{01} + P_{10} < P_{11}$

holds. It is, on the other hand, important to note that this non-local behavior is "weaker" than communication
between A and B and does not allow for such; fortunately, since such a possibility would be in
contradiction with relativity.

With the objective of achieving a better understanding of such "non-local behavior," Popescu and 
Rohrlich [10] defined a "non-locality primitive" behaving in a similar way, but where the probabilities
$P_{ij}$ are

$P_{00} = P_{01} = P_{10} = 0, \quad P_{11} = 1.$

In other words, both parties have an input bit (corresponding to the choice of the basis in the quantum 
model) U and V and get an output bit X and Y, respectively, where X and Y are random bits satisfying 

$X \oplus Y = U \cdot V = U \text{ AND } V.$

It is important to note, however, that the behavior of this "PR primitive" cannot, although it does 
not allow for communication either, be obtained from any quantum state — it violates a "quantum Bell 
inequality" that is even valid for the behavior of quantum states. On the other hand, the primitive 
does allow for perfectly simulating the behavior of a maximally entangled quantum bit pair under any 
possible measurement. The latter has been shown possible, for instance, also between parties who may
communicate one classical bit, but the possibility of achieving the same with the PR primitive
is of particular interest since this functionality does not allow for any communication. 

1.3 Two-Party Information-Theoretic Primitives and Reductions 

The three information-theoretic primitives or two-party functionalities described in the previous sections 
can be modeled by their mutual input-output behavior, i.e., by a conditional probability distribution 
$P_{XY|UV}$, where U, V, X, and Y are the two parties' input and output, respectively (see Figure 1).





[Diagram: the three boxes OT, OK, and PR, annotated with C, Y where $Y = X_C$ and where $a \oplus b = x \cdot y$.]

Figure 1: Oblivious transfer, oblivious key, and the Popescu-Rohrlich primitive.

In Section 2, we will show simple perfect and single-copy information-theoretic reductions between the 
three primitives — in some sense, they are, provocatively speaking, all the same. 

More precisely, a single-copy reduction of a primitive $P_2$ to another $P_1$ means that the functionality
$P_2$ can be realized given one instance of $P_1$. Hereby, no computational assumptions have to be made.
Perfect means that no non-zero failure probability has to be tolerated.

Note, however, that the reduction protocol may use communication; of course, because from a "com- 
munication and locality viewpoint," the three primitives are very different: OT allows for communication, 
PR does not, but is non-local, whereas OK is simply distributed classical information, i.e., "local." 

Although we keep an eye on this communication in the reductions (all our reductions minimize the
required amount of communication), our interest is privacy: When $P_2$ is obtained from $P_1$, say, then
both parties must not obtain more information than specified for $P_2$. In other words, our viewpoint
is the one of cryptography rather than of communication-complexity theory. Note that our reductions 
have the property that a party who is misbehaving in the protocol cannot obtain more information than 
specified (but possibly violate the privacy of her proper inputs). 

2 Single-Copy Reductions Between OT, OK, and PR 

2.1 PR from OT 

Lemma 1. Using one instance of OT, we can simulate PR.

Proof. B chooses $c = y$. A chooses $a$ at random and sends $x_0 = a$ and $x_1 = x \oplus a$ with OT. B receives
$x_c$ and outputs $b = x_c$. A outputs $a$. We have $b = x_c = a \oplus xc = a \oplus xy$. □

2.2 OK from PR 

Lemma 2. Using one instance of PR, we can simulate OK. 

Proof. A and B choose $x$ and $y$ at random. B outputs $C = y$ and $Y = b$. A outputs $X_0 = a$ and
$X_1 = a \oplus x$. We have $Y = b = xy \oplus a = X_C$. □

2.3 OK from OT 

Lemma 3. Using one instance of OT, we can simulate OK.

Proof. Follows directly from Lemmas 1 and 2. We get the following protocol: A and B choose all their
input at random. A outputs her inputs, B his input and his output. □ 

2.4 OT from PR 

Lemma 4. Using one instance of PR, we can simulate OT using one bit of communication. 

Proof. A inputs $x = x_0 \oplus x_1$. B inputs $y = c$. A gets $a$ and B gets $b$. A sends $m = x_0 \oplus a$ to B. B
outputs $y = m \oplus b$. We have $y = m \oplus b = x_0 \oplus a \oplus b = x_0 \oplus (x_0 \oplus x_1)c = x_c$.

Since A does not receive any message from B, she gets no information about $c$. B only receives one
bit, which is equal to $x_c$. □

In PR, no communication takes place, but we are able to send one bit using OT. Hence, at least one 
bit of communication is needed to simulate OT by PR. 
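
The reductions of Lemmas 1, 2, and 4 can be checked exhaustively, since every input and every PR outcome is a single bit. The following Python sketch is an added example, not code from the paper; the function names and the encoding of a party's view as a tuple are assumptions made here. It verifies correctness and, for Lemma 4, that A's view is independent of c and that B's view is independent of the unchosen bit.

```python
from collections import Counter
from itertools import product

BITS = (0, 1)

def pr_box(x, y):
    """The two equally likely PR outcomes (a, b), with a XOR b = x AND y."""
    return [(a, a ^ (x & y)) for a in BITS]

def pr_from_ot(x, y, a):
    """Lemma 1: A sends (a, x XOR a) through OT and B picks c = y."""
    return a, (a, x ^ a)[y]

def ok_from_pr(x, y):
    """Lemma 2: keys ((X0, X1), (C, Y)) obtained from random inputs x, y."""
    return [((a, a ^ x), (y, b)) for a, b in pr_box(x, y)]

def ot_from_pr(x0, x1, c):
    """Lemma 4: (B's output, A's view, B's view) for each PR outcome."""
    runs = []
    for a, b in pr_box(x0 ^ x1, c):
        m = x0 ^ a                       # the single bit sent from A to B
        runs.append((m ^ b, (x0, x1, a), (c, b, m)))
    return runs

def view(idx, x0, x1, c):
    """Distribution of output (0), A's view (1) or B's view (2)."""
    return Counter(run[idx] for run in ot_from_pr(x0, x1, c))

def check_lemma1():
    return all(sorted(pr_from_ot(x, y, a) for a in BITS) == pr_box(x, y)
               for x, y in product(BITS, repeat=2))

def check_lemma2():
    keys = Counter(k for x, y in product(BITS, repeat=2) for k in ok_from_pr(x, y))
    return len(keys) == 8 and all(X[C] == Y for X, (C, Y) in keys)

def check_lemma4():
    for x0, x1, c in product(BITS, repeat=3):
        other = (x0, 1 - x1, c) if c == 0 else (1 - x0, x1, c)
        if not (view(0, x0, x1, c) == Counter({(x0, x1)[c]: 2})
                and view(1, x0, x1, c) == view(1, x0, x1, 1 - c)  # A vs. c
                and view(2, x0, x1, c) == view(2, *other)):       # B vs. x_{1-c}
            return False
    return True
```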

2.5 PR from OK 

Lemma 5. Using one instance of OK, we can simulate PR using two bits of communication. 

Proof. A sends $m_a = x \oplus X_0 \oplus X_1$ to B. B sends $m_b = y \oplus C$ to A. A outputs $a = X_0 \oplus (X_0 \oplus X_1)m_b \oplus m_a m_b$. B outputs $b = Y \oplus C m_a$. We have $X_0 \oplus Y = (X_0 \oplus X_1)C$. Hence

$a \oplus b = X_0 \oplus (X_0 \oplus X_1)m_b \oplus m_a m_b \oplus Y \oplus C m_a$
$= m_a m_b \oplus (X_0 \oplus X_1)m_b \oplus C m_a \oplus (X_0 \oplus X_1)C$
$= (m_a \oplus X_0 \oplus X_1)(m_b \oplus C) = xy.$

They both send their inputs "XORed" with $(X_0 \oplus X_1)$ and $C$, respectively. Since the other party has
no information about these values, this is a one-time pad, and they receive no information about the
other's input. □

We show that the two bits of communication are optimal in this case. Let us assume that there exists 
a protocol using only one-way communication from A to B. Since B can calculate his output $b_0$ for both
inputs for $y = 0$ and $b_1$ for $y = 1$, we have $a \oplus b_0 \oplus a \oplus b_1 = x(1 \oplus 0)$, and, therefore, $b_0 \oplus b_1 =$



2.6 OT from OK 

Lemma 6. Using one instance of OK, we can simulate OT using three bits of communication. 

Proof. Follows directly from Lemmas 4 and 5. Alternatively, we can use the BBCS protocol, which
requires three bits of communication as well. Here, B sends $m = c \oplus C$ to A, whereas A sends $m_0 = x_0 \oplus X_m$
and $m_1 = x_1 \oplus X_{1 \oplus m}$ to B. B outputs $y = m_c \oplus Y$. We have $y = m_c \oplus Y = x_c \oplus X_{c \oplus m} \oplus Y = x_c \oplus X_C \oplus Y = x_c$.

B's message does not give any information about $c$ to A, since it is "one-time padded" with the value
$C$ about which A has no information. B knows either $X_0$ or $X_1$ but has no information about the other
value. So, either $x_0$ or $x_1$ gets "one-time padded," and B obtains no information about that value, even if
he is given the other value. □

Three bits of communication are optimal: First of all, two-way communication is needed. If A would 
send less than two bits, but still in such a way that B would get the bit he wants, then A would have to 
know which bit B has chosen. 
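
The two OK-based protocols (Lemma 5 and the BBCS variant of Lemma 6) can be checked the same way by enumerating the eight equally likely oblivious keys. This Python sketch is an added example, not code from the paper; the names KEYS, view and the tuple layout of each party's view are assumptions made here. For every input it confirms the output relation and that each party's view has the same distribution whatever the other party's protected input is, which is the one-time-pad argument of the proofs.

```python
from collections import Counter
from itertools import product

BITS = (0, 1)
# All eight equally likely oblivious keys: A holds (X0, X1), B holds (C, Y = X_C).
KEYS = [((X0, X1), (C, (X0, X1)[C])) for X0, X1, C in product(BITS, repeat=3)]

def pr_from_ok(x, y, key):
    """Lemma 5: returns (a XOR b, A's view, B's view)."""
    (X0, X1), (C, Y) = key
    m_a = x ^ X0 ^ X1                 # A -> B, padded with X0 XOR X1
    m_b = y ^ C                       # B -> A, padded with C
    a = X0 ^ ((X0 ^ X1) & m_b) ^ (m_a & m_b)
    b = Y ^ (C & m_a)
    return a ^ b, (x, X0, X1, m_b, a), (y, C, Y, m_a, b)

def ot_from_ok(x0, x1, c, key):
    """Lemma 6, BBCS variant: returns (B's output, A's view, B's view)."""
    (X0, X1), (C, Y) = key
    m = c ^ C                         # B -> A
    m0 = x0 ^ (X0, X1)[m]             # A -> B
    m1 = x1 ^ (X0, X1)[1 ^ m]         # A -> B
    return (m0, m1)[c] ^ Y, (x0, x1, X0, X1, m), (c, C, Y, m0, m1)

def view(proto, idx, *inputs):
    """Distribution of one component of proto's result over a random key."""
    return Counter(proto(*inputs, key)[idx] for key in KEYS)

def check_lemma5():
    return all(view(pr_from_ok, 0, x, y) == Counter({x & y: 8})
               and view(pr_from_ok, 1, x, y) == view(pr_from_ok, 1, x, 1 - y)
               and view(pr_from_ok, 2, x, y) == view(pr_from_ok, 2, 1 - x, y)
               for x, y in product(BITS, repeat=2))

def check_lemma6():
    for x0, x1, c in product(BITS, repeat=3):
        other = (x0, 1 - x1, c) if c == 0 else (1 - x0, x1, c)
        if not (view(ot_from_ok, 0, x0, x1, c) == Counter({(x0, x1)[c]: 8})
                and view(ot_from_ok, 1, x0, x1, c) == view(ot_from_ok, 1, x0, x1, 1 - c)
                and view(ot_from_ok, 2, x0, x1, c) == view(ot_from_ok, 2, *other)):
            return False
    return True
```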



3 Optimally Reversing OT 

OT is a priori an asymmetric functionality, and the possibility of inverting its orientation has been 
investigated, for instance, in 0, where a protocol was given using n realizations of OT from B to 
A — called TO — in order to obtain one realization from A to B, where a failure probability exponentially 
small in n has to be tolerated. Since, however, PR is a symmetric functionality, our reductions imply 
that OT is as well. More precisely, the reductions of OT to PR and vice versa can be put together to the 
following protocol inverting OT. This reduction of OT to TO given in ^3], is single-copy, information- 
theoretic, perfect, and minimizes the required additional communication. 

3.1 OT from TO 

Lemma 7. Using one instance of TO, we can simulate OT using one bit of communication. 

Proof. A inputs $x_0 \oplus x_1$ to TO. B chooses a random bit $r$ and inputs $r$ and $r \oplus c$ to TO. A receives $a$
and sends $m = x_0 \oplus a$ to B. B outputs $y = r \oplus m$. We have $y = r \oplus m = r \oplus x_0 \oplus r \oplus (x_0 \oplus x_1)c = x_c$.

A does not get any message from B, so she does not get any information about $c$. B gets one message
from A, which is equal to $b_0$ if the XOR of his input values is 0, and to $b_1$ otherwise. If he does not
choose $r$ at random, A might be able to get the value $c$, but there is no advantage for B. □

The protocol is obviously optimal since A can communicate one bit with B using OT — which she cannot 
using TO. 

3.2 OK from KO

Finally, we show that an OK can easily be reversed, without any communication. 

Lemma 8. Using one instance of KO, we can simulate OK without any communication. 

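Proof. A gets $X_0$ and $X_1$ from KO, and B gets $C$ and $Y$. A outputs $\bar{C} = X_0 \oplus X_1$ and $\bar{Y} = X_0$, and B
outputs $\bar{X}_0 = Y$ and $\bar{X}_1 = Y \oplus C$.

We have $Y = X_C$ and $\bar{X}_{\bar{C}} = Y \oplus \bar{C}(\bar{X}_0 \oplus \bar{X}_1) = X_0 \oplus (X_0 \oplus X_1)C \oplus C(X_0 \oplus X_1) = X_0 = \bar{Y}$. □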

The OK primitive can also be defined in a symmetric way: It is the distribution that we get when both 
A and B input a random bit to PR. 
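
The reversal protocols of Lemmas 7 and 8, together with the remark that a non-random r only hurts B himself, can be checked by enumeration. This Python sketch is an added example, not code from the paper; TO is modelled as an ideal OT with B as sender, and the function names and view tuples are assumptions made here.

```python
from collections import Counter
from itertools import product

BITS = (0, 1)

def ot_from_to(x0, x1, c, r):
    """Lemma 7: returns (B's output, A's view, B's view)."""
    a = (r, r ^ c)[x0 ^ x1]           # TO: B sends (r, r XOR c), A chooses x0 XOR x1
    m = x0 ^ a                        # the single bit sent from A to B
    return r ^ m, (x0, x1, a), (c, r, m)

def view(idx, x0, x1, c, r_values):
    """Distribution of one party's view when r is uniform on r_values."""
    return Counter(ot_from_to(x0, x1, c, r)[idx] for r in r_values)

def correct():
    return all(ot_from_to(x0, x1, c, r)[0] == (x0, x1)[c]
               for x0, x1, c, r in product(BITS, repeat=4))

def a_learns_c(r_values):
    """True if A's view distinguishes c = 0 from c = 1 for some input pair."""
    return any(view(1, x0, x1, 0, r_values) != view(1, x0, x1, 1, r_values)
               for x0, x1 in product(BITS, repeat=2))

def b_learns_other_bit(r_values):
    """True if B's view changes when only the unchosen bit x_{1-c} flips."""
    for x0, x1, c in product(BITS, repeat=3):
        other = (x0, 1 - x1, c) if c == 0 else (1 - x0, x1, c)
        if view(2, x0, x1, c, r_values) != view(2, *other, r_values):
            return True
    return False

def reverse_ok(key):
    """Lemma 8: local relabelling of ((X0, X1), (C, Y)) into the other direction."""
    (X0, X1), (C, Y) = key
    return (Y, Y ^ C), (X0 ^ X1, X0)  # B's new pair, A's new (choice, value)

def check_lemma8():
    keys = [((X0, X1), (C, (X0, X1)[C])) for X0, X1, C in product(BITS, repeat=3)]
    out = [reverse_ok(k) for k in keys]
    return len(set(out)) == 8 and all(X[C] == Y for X, (C, Y) in out)
```

With r uniform, `a_learns_c(BITS)` is false; with r fixed, `a_learns_c((0,))` is true while `b_learns_other_bit((0,))` stays false, matching the last sentence of the proof of Lemma 7.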

4 Concluding Remarks 

We have shown a close connection between the important cryptographic functionality of oblivious transfer 
and quantum non-locality, more precisely, the "non-locality machine" of Popescu and Rohrlich: they 
are, modulo a small amount of (classical) communication, the same — one can be reduced to the other. 
As a by-product, we have obtained the insight that OT is symmetric: One instance of OT from B to A 
allows for the same functionality from A to B in a perfect information-theoretic sense. Figure 2 shows 
the reductions between the different functionalities discussed above. The (optimal) numbers of bits to 
be communicated are indicated. 




Figure 2: The reductions between OT, TO, PR, OK, and KO, and their communication costs. All 
reductions are perfect and optimal.

It has been shown that the behavior of an EPR pair can be perfectly simulated without any
communication if one realization of the PR primitive is available. However, this reduction, although it 
yields the correct statistics with respect to the two parts' behavior, is not "cryptographic" or "private" 
in the sense of our reductions: The parties are tolerated to obtain more information about the other 
party's outcome than they would when actually measuring an EPR pair. We state as an open problem 
to simulate, in this stronger sense, the behavior of an EPR pair using the PR primitive. 